Comprehensive Cloud Security Requires an Automated Approach

Comprehensive Cloud Security Requires an Automated Approach. Andras Cser, VP and Principal Analyst, Forrester Research; Carson Sweet, CEO and Co-founder, CloudPassage. November 12, 2013.

Transcript of Comprehensive Cloud Security Requires an Automated Approach

Page 1: Comprehensive Cloud Security Requires an Automated Approach

Comprehensive Cloud Security Requires an Automated Approach

Andras Cser, VP and Principal Analyst, Forrester Research

Carson Sweet, CEO and Co-founder, CloudPassage

November 12, 2013

Page 2: Comprehensive Cloud Security Requires an Automated Approach

Cloud Security: Automation and Centralization Matters

Andras Cser, VP and Principal Analyst

November 12, 2013

Page 3: Comprehensive Cloud Security Requires an Automated Approach

© 2013 Forrester Research, Inc. Reproduction Prohibited

Agenda

› Why is Cloud Security Important

› Challenges with Cloud Security

› Forrester’s Recommendations

Page 4: Comprehensive Cloud Security Requires an Automated Approach

Agenda

› Why is Cloud Security Important

› Challenges with Cloud Security

› Recommendations

Page 5: Comprehensive Cloud Security Requires an Automated Approach

Cloud-based Services Employed Regularly

“Which of the following cloud-based services have you employed on a regular basis?”

Other: 2%

Don't know: 3%

Nonrelational database: 14%

BPM: 16%

Mobile back end: 18%

Content delivery network: 21%

Application-level caching: 23%

Integration (e.g., Dell Boomi, IBM Cast Iron): 23%

Message queuing: 26%

Content management: 31%

Messaging: 33%

Social (e.g., Salesforce Chatter): 33%

Development tools/IDE (e.g., Cloud9, Cloud Foundry): 37%

Relational database (e.g., SQL Azure): 42%

Storage: 49%

Compute (e.g., Amazon EC2, Microsoft Azure VM Role): 50%

Base = 175 software developers from companies with 1,000 or more employees

Source: Forrsights Developer Survey, Q1 2013

Page 6: Comprehensive Cloud Security Requires an Automated Approach

“Which of the following initiatives are likely to be your IT organization's top project and organizational priorities over the next 12 months?”

Increase our use of software-as-a-service (cloud applications)

Don't know: 1%

Not on our agenda: 15%

Low priority: 35%

Critical or High priority: 48%

Base: 1,176 North American and European IT decision-makers at firms with 1,000 or more employees

Source: Forrester Software Survey, Q4 2012

Page 7: Comprehensive Cloud Security Requires an Automated Approach

Why Cloud Security is like a two-component glue, a unique blend:

A: The Cloud is not just a new delivery platform

B: Cloud Security is NOT just continuing security and extending it to the cloud

Page 8: Comprehensive Cloud Security Requires an Automated Approach

Cloud Pulls the CISO in Many Directions

CISO and Security Organization Changes, aka Uneven Handshake

1. Cloud Offers Irresistible Benefits

2. LOB procures cloud services

3. CISO Can’t Say No All the Time

4. Data Center Is Loosely Coupled

5. Security Struggles to Reduce Cloud Security Risks

Page 9: Comprehensive Cloud Security Requires an Automated Approach

Cloud Security Means a Lot of Things to a Lot of People

› What interfaces does our company need to have to work well with our Cloud Providers? (Security To the Cloud)

› How can a Cloud Provider (like Amazon Web Services or SalesForce.com) prove to us that they are secure? (Security In the Cloud)

› How can our company make its internal (and in some cases, Cloud Provider) security better? (Security From the Cloud)

› What are the organizational implications of Cloud and Cloud Security for our IT security organization?

Page 10: Comprehensive Cloud Security Requires an Automated Approach

Cloud Security Prepositions

Page 11: Comprehensive Cloud Security Requires an Automated Approach

Agenda

› Why is Cloud Security Important

› Challenges with Cloud Security

› Recommendations

Page 12: Comprehensive Cloud Security Requires an Automated Approach

General Challenges with Cloud Security

› Ease of Use for End Users (you can’t control end users)

• Cloud security should not require users to change behaviors or tools

› Inconsistent Control (you don’t own everything)

• The only thing you can count on is guest VM ownership

› Elasticity (not all servers are steady-state)

• Cloudbursting, stale servers, dynamic provisioning

› Scalability (highly variable server counts)

• May have one dev server or 1,000 production web servers

› Portability (same controls work anywhere)

• Nobody wants multiple tools or IaaS provider lock-in

Page 13: Comprehensive Cloud Security Requires an Automated Approach

Challenges with Cloud Security

› Data protection

› Workload separation and multi tenancy

› Information Rights Management

› SaaS providers don’t help much with security related concerns

› Network Security

› Identity and Access Management (IAM) and Privileged Identity Management (PIM)

› Business Continuity and Disaster Recovery (BCDR)

› Log Management (SIEM)

Page 14: Comprehensive Cloud Security Requires an Automated Approach

Cloud Does NOT Shift the Responsibility of Data Protection

› “When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.”

Cloud Security Alliance, Guidance v3.0X

Page 15: Comprehensive Cloud Security Requires an Automated Approach

Agenda

› Why is Cloud Security Important

› Challenges with Cloud Security

› Protecting Data In the Cloud

› Recommendations

Page 16: Comprehensive Cloud Security Requires an Automated Approach

How do we avoid this?

When it comes to responsibilities…

Page 17: Comprehensive Cloud Security Requires an Automated Approach

Who’s Responsible for IaaS Security?

Physical Facilities

Hypervisor

Compute & Storage

Shared Network

Virtual Machine

Data

App Code

App Framework

Operating System

Customer Responsibility

Provider Responsibility

“…the customer should assume responsibility and management of, but not limited to, the guest operating system and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

AWS Shared Responsibility Model

Page 18: Comprehensive Cloud Security Requires an Automated Approach

Typical questions and requirements:

• How can you source security services from MSSPs?

• How can you protect security and data at our cloud providers?

• In general: How do we integrate our existing on-premise security with the MSSP's security products?

Think Security From the Cloud

Page 19: Comprehensive Cloud Security Requires an Automated Approach

Do your homework…

› Get as much detail around security from your SaaS provider as you can

› Set clear boundaries for security responsibilities between you and your IaaS/PaaS provider

› Data protection, data protection, data protection

› Don’t build your own tools

› Apply a comprehensive approach to cloud security

› Centralize and scale security policy management for your cloud

› Automate your security (you can’t manually configure thousands of servers)

Page 20: Comprehensive Cloud Security Requires an Automated Approach

Page 21: Comprehensive Cloud Security Requires an Automated Approach

Thank you

Andras Cser

+1 617.613.6365

Page 22: Comprehensive Cloud Security Requires an Automated Approach

Security automation for virtualized & cloud environments

Page 23: Comprehensive Cloud Security Requires an Automated Approach

Problem: Infrastructure Security Is Behind

› Infrastructure more distributed and dynamic than ever

› Current security models neither dynamic nor distributed

› Perimeters, appliances, hardware reliance, stable configurations, change control, endpoint security solutions… all marginalized to worthless in new models

› Without infrastructure security, all other security measures are weak (castle on sand, not bedrock)

Security teams can’t assure security or compliance, being dragged behind business

Page 24: Comprehensive Cloud Security Requires an Automated Approach

The Old Model: everything behind firewall, low rate of change, very few infrastructure stacks

Page 25: Comprehensive Cloud Security Requires an Automated Approach

The New Model: multiple stacks, broadly distributed, legacy approaches fail

Page 26: Comprehensive Cloud Security Requires an Automated Approach

Security Buyer Challenges

› Achieving compliance in cloud environments

• PCI, HIPAA, ISO 27002, SOC2, SANS Top 20, NIST

› Disparate systems & high rate of change

• “Dynamic” is core to cloud, new mode of operation

• Security orchestration & automation underserved needs

› Existing products don’t work well (if at all)

• Technically designed for a different time

• Do not match up to dynamic cloud operational models

Page 27: Comprehensive Cloud Security Requires an Automated Approach

Why Do Existing Solutions Fail?

Network & hardware dependencies

Lack of metered-usage licensing

Cannot handle elasticity or wide distribution

Cannot operate across cloud models

Page 28: Comprehensive Cloud Security Requires an Automated Approach

How we built high-scale security & compliance automation

Page 29: Comprehensive Cloud Security Requires an Automated Approach

Objective: Consolidate & Automate Controls

Page 30: Comprehensive Cloud Security Requires an Automated Approach

Halo Security Automation Platform

Page 31: Comprehensive Cloud Security Requires an Automated Approach
Page 32: Comprehensive Cloud Security Requires an Automated Approach

Automation Needs To Work Anywhere

Page 33: Comprehensive Cloud Security Requires an Automated Approach

Automation Must Extend Current Tools

Page 34: Comprehensive Cloud Security Requires an Automated Approach

Security Automation Outcomes

› Massive reduction in security ops overhead

• Automated control deployment & orchestration

• Consolidation of otherwise disparate functions

• Single point of security & compliance management

› Security and compliance consistency

• Security & compliance that’s truly built-in

• Eliminates opportunities for human error

• Deploy once, certify many (complex compliance)

› Enables safe use of cloud models

• Security teams have confidence in controls

• Cloud projects don’t require manual intervention

Page 35: Comprehensive Cloud Security Requires an Automated Approach

Key Takeaway:

Automating security enables saying “yes” to cloud, improves security, and makes complex compliance achievable.

Page 36: Comprehensive Cloud Security Requires an Automated Approach

Questions?